Masergy Security WP - A Fresh Approach to Holistic Managed Security 11.2015

Upload: mark-lawrence-peay

Post on 15-Jan-2017

WHITE PAPER

Managed Security

A HOLISTIC APPROACH TO INTEGRATED, BEHAVIORAL-BASED NETWORK SECURITY

Unified Enterprise Security

rev. 110615


Table of Contents

Executive Summary 3

Introduction 3

The Current Approach to Securing the Network: A False Sense of Security 4

Defense-in-Depth: The Market’s Flawed Attempt to Address APTs 9

The Real Security Problem: Failure to Connect the Dots 11

Behavioral-Based Unified Security: A Holistic Approach to Detecting APTs 12

Masergy Unified Enterprise Security™ 14

Masergy Unified Enterprise Security Architecture 15

Masergy Solutions Overview 18

Masergy Unified Enterprise Security Configurations 21

Conclusion 23

About Masergy 24


Executive Summary

Internet-based attacks are a serious threat to any public or private organization’s information technology systems. Despite a substantial increase in spending for cyber security over the past few years, new and evolving Internet security threats remain widespread and most cyber defense solutions are woefully inadequate. While many powerful point solutions exist to protect specific pockets of vulnerability, industry analysts agree that the next evolutionary leap in security technology will focus on the development of a systemic cyber security architecture that’s capable of providing true subsystem integration of disparate security applications within a unified threat management system.

Masergy’s Unified Enterprise Security™ (UES) is the industry’s first fully integrated, network behavior analysis and correlation-based security platform. It is the premier threat management system on the market today because it is the only unified offering that combines the unique integration properties of a security architecture with the adaptive and predictive data sharing, tracking and analysis capabilities of a network behavior analysis and correlation engine.

Masergy’s UES solution provides true subsystem integration of industry-proven security applications – network behavior analysis and correlation; intrusion detection and prevention; vulnerability scanning and management; log management, analysis and monitoring; network access and policy monitoring; and comprehensive threat management for prioritized network, global and vendor threats and vulnerabilities – within a multi-layered, 21st century security architecture that spans premise-based, cloud and hybrid network environments. Finally, there’s a unified security solution that works anytime, anywhere your business operates.

Introduction

In an era of increasing regulatory compliance, where the level of investment in “best-of-breed” corporate IT security technology is significantly higher than in any previous year, CIOs, Security Chiefs and IT Leaders are asking the same question: “Why are high profile security breaches still so prevalent?”

To adequately answer that question, one need only review the data. Consider, for example, the recently published Verizon: 2014 Data Breach Investigations Report of high profile security breaches. It found that, for 95% of all breaches, readily available evidence existed in an organization’s logs that it had been breached or was in the process of being breached.

More importantly, the same report also found that:

• The “time to compromise” is shortening due to the success of APTs’ ability to infiltrate

• The “time to discovery” once a network has been compromised is increasing due to the fact that APTs are designed to evade detection

• The majority of breaches were discovered by a third party or law enforcement, not by the actual organization that was breached

• Many organizations were deemed to be compliant with the Payment Card Industry (PCI) Data Security Standard (DSS)

• Less than 10% of these organizations actually discovered the breach on their own.

These are shocking statistics, especially when you consider that IT security budgets rose to 7.9 percent,[1] and global IT security spending climbed to a total of $71.1 billion in 2014. With continuously evolving attack profiles and too many disparate applications and appliances requiring updates on a daily basis, it’s virtually impossible for network administrators to stay ahead of the curve. This paper will highlight the flaws of a “best-of-breed” approach to network security, the underlying causes of recent high profile security breaches, and the emergence of Unified Enterprise Security™ – a comprehensive, holistic approach to network security integration.

The Current Approach to Securing the Network: A False Sense of Security

Postmortem analysis by Verizon Business investigators of the underlying causes for a security breach found that “either the technology employed, processes in place, or dereliction of duty (though unintended) were often the main causes.”[2]

These findings are understandable given the current state of the network security market, where corporate IT security teams are challenged to implement their network security posture by cobbling together discrete security appliances and applications from a myriad of competing security companies. Such solutions focus on various specific aspects of network security, leaving the IT department responsible for selecting, integrating, managing, monitoring and correlating discrete security events, alerts, logs and reports into actionable security threats.

To better understand the underlying reasons for these challenges, let’s take a closer look at the typical approach organizations are taking to secure their enterprise.

[1] Gartner: Don’t Be the Next Target — IT Security Spending Priorities 2014

[2] Verizon: 2014 Data Breach Investigations Report


Most organizations focus on four main areas of network security:

1. Perimeter defenses (firewalls, intrusion prevention devices, etc.)

2. Log Management

3. Vulnerability Management

4. Endpoint security

On the surface, a focus on these four defense disciplines seems to be a reasonable approach to securing an organization’s network. After all, most highly respected data security standards (PCI, SOX, HIPAA, NERC CIP, NCUA, FISMA or SANS, etc.) require these four basic functions in their directives. However, a closer examination reveals some serious deficiencies:

Perimeter Defense(s): Beyond provisioning a firewall (FW), the primary network security appliance deployed on virtually every organization’s network is an intrusion prevention system (IPS). An IPS is a network security appliance that monitors network and/or system activities for malicious activity. The main functions of intrusion prevention systems are to identify malicious activity, log information about said activity, attempt to block/stop activity, and then report any detected activity.

It is important to understand that there are two primary types of underlying technologies used in an IPS:

1. Signature-Based Detection: This method of detection utilizes attack patterns (signatures) that are preconfigured and predetermined. A signature-based intrusion prevention system monitors the network traffic for matches to these signatures. Once a match is found, the intrusion prevention system takes the appropriate action. Signatures can be exploit-based or vulnerability-based. Exploit-based signatures analyze patterns appearing in the exploits being protected against, while vulnerability-based signatures analyze vulnerabilities in a program, its execution, and the conditions needed to exploit said vulnerability.

2. Stateful Protocol Analysis Detection: This method identifies deviations of protocol states by comparing observed events with “predetermined profiles of generally accepted definitions of benign activity.” It’s still a signature, but IT organizations often consider SPAD to be something different altogether. It reduces false positives, but provides no more protection and can still be evaded.


Both of these detection methods are predicated on the notion that loading a small subset (approximately 1,500) of detection scenarios (also known as “signatures”) from a large (over 60,000) library is the only effective means available to identify malicious activity. This leaves the organization 97.5% exposed to the known attack methods, and 100% exposed to any new emerging threats.

To compound the problem, most organizations rely heavily on the IPS manufacturer to select the subset of signatures to load from its vast library. One has to wonder how an IPS manufacturer decides which signatures to select when it has absolutely no idea what each organization’s network vulnerabilities are. Obviously, network vulnerabilities will vary greatly from one organization to the next, and IPSs are not designed to detect network vulnerabilities. Given that less than 2.5% of the signature library can be loaded at one time, what is the likelihood that the right set of signatures will be selected?

There are other concerns to address as well. NSS Labs reports that 85% of the IPS signatures loaded are typically disabled from blocking due to a high false positive rate. When you consider that IPSs are marketed, sold, and then deployed in an operating mode other than the one intended, it’s obvious that IT organizations have been lulled into a false sense of security.

Further, IPSs are deployed at the edge of the network where traffic flows to and from the Internet, leaving the entire inside of the network unmonitored / unprotected. Protecting only the perimeter assumes that there is no other means of entry into the network, which does not take into account mobile devices (laptops, phones, USB drives, DVDs, etc.). It also does not take into account that users have direct access to the Internet from inside the network, which provides an encrypted connection (i.e. HTTPS) directly into the middle of the network, and the stealthiest means (e.g. Advanced Persistent Threats) to bypass the organization’s perimeter defenses.

Given the aforementioned, when you think about the industry’s reliance on IPSs to secure their networks, the approach seems so hopelessly flawed that it’s a wonder that it ever made it to market or became so pervasive. Regardless, it’s what is currently in use today, and provides a very compelling argument to consider a different approach.


Log Management: Most organizations are collecting and archiving system logs (syslog) in compliance with a data security standard directive(s) such as PCI, SOX, HIPAA, NERC CIP, NCUA, FISMA, or SANS. Since virtually all network elements (firewalls, switches, routers, production servers, 3rd party security appliances, etc.) produce syslog events, the objective of log management is to collect, retain, and regularly review logs (daily) as a means to identify unauthorized, irregular, or malicious activity.

While there is little doubt that log information can be useful in determining what has already occurred, the notion of relying on historical log information to detect an attack in progress is undermined for several reasons:

1. Log analysis relies on the reporting device’s detection capability. For example, when a threat is able to successfully bypass perimeter defenses (as previously discussed) there typically will NOT be a log event generated. Thus, reliance on log information is inherently flawed.

2. Logs tend to be voluminous. Consider that a firewall is capable of generating 1,000,000 events each day. Since most organizations collect logs for hundreds or thousands of devices (FW, IPS, production servers, network infrastructure, etc.) the ability for an organization to adequately review these logs daily becomes unrealistic.

3. Though SIEMs can correlate log events to identify an incident, most IT departments lack the expertise to implement and maintain the heuristics.

4. Logs are historical in nature, and fairly useful for post-mortem analysis of a breach. However, some modern attack vectors are designed to not log the fact that the malware/APT has manifested itself onto the host.

Vulnerability Management (VSM): In compliance with most data security standards (PCI, SOX, HIPAA, NERC CIP, NCUA or FISMA, etc.) most organizations perform periodic vulnerability assessments to identify weaknesses in their network security posture, with the intent to remediate as time permits. There are a number of types of vulnerability scanners available today, distinguished from one another by a focus on particular targets. While functionality varies between different types of vulnerability scanners, they share a common core purpose of enumerating the vulnerabilities present in one or more targets. Vulnerability scanners are a core technology component of vulnerability management.

While most vulnerability scanners are very good at detecting vulnerabilities, there remain several challenges that undermine their usefulness:

1. Vulnerability scanning should be performed on a weekly basis to ensure that any new vulnerabilities are identified and remediated before emerging threats are able to take advantage of them. However, since vulnerability scanners are typically priced by the number of IPs and the frequency of scans, IT organizations tend to use these scanners judiciously in an effort to economize.

2. Scan reports contain a mountain of vulnerabilities to remediate with no prioritized list or relevance to current threats seen on the network. Given that IT organizations are undermanned and underfunded, the effort to remediate detected vulnerabilities typically takes a backseat to maintaining business services.

3. Vulnerability Management reports are NOT utilized by any 3rd-party security devices (IDS, IPS, etc.), and consequently provide no compensating controls to protect those vulnerabilities.
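As an added illustration of the third point (example code, not Masergy’s or any product’s), the following Python joins each IDS alert to the latest vulnerability-scan result for the targeted host: an alert whose exploit targets a vulnerability the scanner actually found is escalated, one against a host with that vulnerability closed is demoted, and alerts against hosts that were never scanned, or scanned longer ago than the weekly cadence from point 1, are surfaced as coverage gaps. All hosts, addresses, CVE ids and signature names are constructed placeholders.

```python
"""Vulnerability-aware alert prioritization (added example, constructed data).

Joins each IDS alert to the most recent scan result for the destination host.
All addresses, CVE ids and signature names below are placeholders."""
from collections import defaultdict
from datetime import date

# Constructed scan results: host -> (date scanned, CVE ids found open on it).
SCANS = {
    "10.0.1.10": (date(2015, 11, 2), {"CVE-0000-0001", "CVE-0000-0002"}),
    "10.0.1.11": (date(2015, 10, 1), {"CVE-0000-0003"}),   # scanned over a month ago
    "10.0.1.12": (date(2015, 11, 2), set()),                # scanned, nothing open
}

# Constructed IDS alerts: (source, destination, signature name, CVE the signature covers).
IDS_ALERTS = [
    ("198.51.100.7", "10.0.1.10", "HTTP exploit attempt A", "CVE-0000-0001"),
    ("198.51.100.7", "10.0.1.12", "HTTP exploit attempt A", "CVE-0000-0001"),
    ("203.0.113.9", "10.0.1.11", "SMB exploit attempt B", "CVE-0000-0009"),
    ("203.0.113.9", "10.0.1.99", "SMB exploit attempt B", "CVE-0000-0009"),
    ("198.51.100.7", "10.0.1.10", "Port sweep", None),
]

MAX_SCAN_AGE_DAYS = 7          # the paper's weekly scanning cadence
TODAY = date(2015, 11, 6)      # constructed "current" date for the run


def classify(alert, scans, today, max_age_days=MAX_SCAN_AGE_DAYS):
    """Return a priority label for one alert given the scan data."""
    _src, dst, _sig, cve = alert
    if cve is None:
        return "review"              # signature is not tied to a specific vulnerability
    if dst not in scans:
        return "gap-unscanned"       # no scan has ever covered this host
    scanned_on, open_cves = scans[dst]
    if (today - scanned_on).days > max_age_days:
        return "gap-stale-scan"      # scan too old to trust either way
    return "critical" if cve in open_cves else "low"


def prioritize(alerts, scans, today, max_age_days=MAX_SCAN_AGE_DAYS):
    """Bucket alerts by priority; returns {label: [alerts...]}."""
    buckets = defaultdict(list)
    for alert in alerts:
        buckets[classify(alert, scans, today, max_age_days)].append(alert)
    return dict(buckets)


def coverage_gaps(buckets):
    """Hosts that received exploit alerts but have no usable scan result."""
    return sorted({a[1] for label in ("gap-unscanned", "gap-stale-scan")
                   for a in buckets.get(label, [])})


if __name__ == "__main__":
    result = prioritize(IDS_ALERTS, SCANS, TODAY)
    for label, alerts in sorted(result.items()):
        for alert in alerts:
            print(f"{label:16} {alert[0]:>14} -> {alert[1]:<10} {alert[2]}")
    print("scan the following hosts next:", coverage_gaps(result))
```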

Endpoint Security: The last line of defense for most organizations is endpoint security. Virtually all customers deploy some form of Antivirus/Anti-Malware software on PCs, laptops, and their trusted computing base (TCB). Some customers have also deployed Host Intrusion Detection/Prevention agents (HIDS/HIPS) on TCB servers. Beyond Antivirus/Anti-Malware software, a much smaller percentage of customers (<15%) will employ a more sophisticated endpoint security solution designed to validate endpoint security compliance prior to allowing client/user machines access to the network.

Here too we have some serious challenges, as Advanced Persistent Threats (APTs) are purposely designed to leverage zero day exploits and polymorphism to evade signature detection based technology, and subsequently infiltrate systems by exploiting the inherent trust between operating system components. As a result, it is well documented that endpoint security solutions catch < 30% of malware.

Lastly, we must also address the risks imposed by the end-user. With the proliferation of web, email and social media, users are simply one click away from compromising their desktop. When you consider that laptops operate outside of corporate network defenses, users are even further exposed. In an era of mobile computing, employees often visit questionable websites and/or utilize free software associated with social media and web applications that provide fertile ground for the introduction of malware, which is then subsequently hand-carried inside the network when they return to work.

The deficiencies of this current approach to network security can be no better evidenced than by the rise of advanced persistent threats (APTs) in recent years. The so-called “APT” is an acronym commonly applied to any breach that seemingly emerges from within an organization’s network by targeting the path of least resistance, the mobile end-user. Once the APT is hand carried into the middle of the network on a compromised laptop, it’s able to replicate peer-to-peer, roam around the network undetected, and stealthily establish an encrypted connection back to a hacker’s command and control website.

While APTs are generally associated with many high profile breaches (Home Depot, USPS, Target, etc.), they are far more prevalent than you might think. In a 2013 survey conducted by the Information Systems Audit and Control Association (ISACA), one in five enterprises had experienced an APT attack. This growing awareness of APTs throughout the IT industry has provided inspiration to augment traditional defenses with advanced threat protection (ATP) solutions as part of a Defense-in-Depth strategy.

Defense-in-Depth: The Market’s Flawed Attempt to Address APTs

As previously discussed, there are many challenges with the current approach of securing a network with best-of-breed point solutions alone. In response, the marketplace has introduced several additional point solutions in an attempt to address some of these shortcomings under a strategy of “Defense-in-Depth.”

The idea behind the defense-in-depth approach is to defend a system against any particular attack using several independent methods. It is a layering tactic, conceived by the National Security Agency (NSA) as a comprehensive approach to information and electronic security.


Defense-in-Depth is originally a military strategy that seeks to delay, rather than prevent, the advance of an attacker by yielding space in order to buy time. The placement of protection mechanisms, procedures and policies is intended to increase the dependability of an IT system where multiple layers of defense prevent espionage and direct attacks against critical systems.

The challenge for Defense-in-Depth is that it relies on the efficacy of the underlying security applications to detect security events and report upstream to a master controlling entity (presumably a SIEM) that will then analyze and correlate these disparate events into a deterministic incident. As previously discussed, this notion is flawed due to the inherent limitations of disparate, perimeter-focused, signature-based solutions.

In response to the shortcomings of these signature-based solutions, the marketplace has introduced a number of promising solutions and technologies intended to augment traditional point solutions currently in place, in support of the defense-in-depth approach. While these product introductions seem to hold great promise initially, they have all come up short in the wake of the constantly evolving advanced malware development community.

Let’s take a look at some of these noble attempts to address Advanced Persistent Threats (APTs):

• Network Sandboxing solutions such as Damballa™ and FireEye™ are designed to detect infiltration from targeted attacks, after the attack is in the network. Unfortunately this does not stop or remediate threats to endpoints, and requires expert-level security personnel to continuously monitor reported events. Breach-detection systems also require constant tuning to ensure that IT security staff members aren’t being overwhelmed with alerts, which was reported to be the case when Target Corporation was breached, despite its use of a breach-detection product from FireEye. This may necessitate adding highly trained staff that can dedicate time to the product, adding to its overall cost.[3] Further, advanced malware developers of APTs have become adept at detecting sandbox environments and employ polymorphism to escape the sandbox undetected. Analysis of the high profile breach at Target Stores™ is clear evidence that APTs have learned to evade network sandboxes like FireEye.

• Software Sandboxing solutions such as Invincea™, Sandboxie™, and Trustware™ are designed to create sandbox environments within the Windows operating system to analyze execution of untrusted applications. They do so by restricting memory and file system resources of the untrusted application and intercepting system calls that could lead to access to sensitive areas of the system being protected. However, advanced malware (APTs) can bypass any sandbox to take advantage of kernel-mode vulnerabilities. Additionally, user-mode malware can escape from any sandbox, permitting it to raise its privileges and disable/bypass other forms of endpoint protection to compromise endpoints, including data theft.

• Web Content Filtering (WCF) solutions are intended to block access to known malicious websites in an effort to protect against web exploits and Trojan attacks. However, they only block known malicious IP addresses, and protection is diminished for mobile users and partners accessing the network.

• Network Access Control (NAC) is meant to ensure that only trusted systems access the network, to quarantine vulnerable systems, and to enforce network segmentation as designed. However, NAC solutions tend to be too complex to deploy and manage, and NAC false-quarantines are very common. Additionally, NAC does not address remote/mobile users very well.

• Hardware-enhanced detection solutions such as McAfee’s Deep Defender™ are designed to load as a boot driver and check for rootkit behaviors before the operating system loads. While this method is fairly effective at detecting and blocking some kernel-mode rootkits, it does NOT block user-mode rootkits. Additionally, the hardware-enhanced detection process poses a significant burden on the processor, while only providing limited protection.

• Application Whitelisting solutions are designed to control which applications are allowed to install and run on an endpoint, which is accomplished by matching authorized programs (the whitelist) to a database of sanctioned applications. While whitelisting can be an effective way to block execution of malicious executables, these solutions inhibit users from downloading and using new tools and programs without IT involvement, are not integrated with other security tools, and make it difficult to comply with business process change requirements. Thus, application whitelisting tends to be more effective for the trusted computing base (TCB) servers where changes are manageable, and it remains largely unusable on end-user systems.

• Security Information / Event Management (SIEM) is a key component in the defense-in-depth strategy. In a security posture comprised of many discrete point solutions, the SIEM is supposed to collect and analyze the log events of all subordinate devices using complex user-specified heuristics. Though SIEMs would provide real-time security operation center (SOC) alerting, they are completely reliant on each disparate point solution’s ability to detect and report meaningful events. Given the inherent flaws identified earlier in this paper, SIEMs are simply unable to report on events missed by best-of-breed point solutions. Thus, SIEMs tend to generate enormous amounts of historical data that must be interpreted into actionable intelligence. Since most IT organizations lack the necessary skills to develop and maintain the SIEM heuristics required to produce actionable intelligence, most SIEMs eventually end up as nothing more than very expensive log management repositories.

[3] TechTarget Article: Breach-detection systems growing more popular despite high costs by Brandon Blevin, November 18, 2014

The Real Security Problem: Failure to Connect the Dots

Beyond the limitations of each of these point solutions, there are additional considerations worth mentioning. An all too common misconception is that a network breach is a singular event that occurs during a brief period of time. In reality, Verizon Business investigators found that 82% of successful breaches were actually preceded by a series of successive reconnaissance activities, intentionally spanning days, weeks and even months in an effort to avoid detection. These intrusion detection evasion techniques are able to bypass detection by creating different states on the perimeter’s defenses and/or on the internal targeted servers. The attacker accomplishes this by manipulating either the attack itself or the network traffic that contains the attack. In this manner, attackers are able to slowly develop techniques, methods, and even the timing to successfully breach perimeter defenses.

Even though much of this reconnaissance activity can be detected by existing defenses, it tends to be overlooked because:

1. The number and frequency of these events appear to indicate a cessation of hostile activity, leaving the IT staff with the impression that existing defenses are working, or

2. They simply go unnoticed due to inadequate security monitoring.

Simply put, the primary reasons why high profile security breaches are still so prevalent are that:

• There are too many vendors, too many disparate security systems, too many alerts with not enough actionable root-cause and resolution information.

• With most security solutions, there is an inability to connect the dots between an impending attack and its related reconnaissance activity, which can span days, weeks, and even months apart.

• Most security solutions are reactive and focused on explaining what happened, instead of tracking reconnaissance activity over long periods of time and detecting threats before a breach occurs.

• An attack is a complex series of events, and unless someone is monitoring the system, an attack will likely go unchecked.
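As an added example of what “connecting the dots” over a long period means in practice (example code, not Masergy’s or any product’s), the following Python contrasts a conventional per-day threshold with a per-source rule that correlates firewall denies across a 30-day window: a patient source that probes only two ports every third day never trips the daily threshold but is caught when its activity is correlated over weeks, while a single burst scan is caught only by the daily rule. All addresses, ports and timestamps are constructed.

```python
"""Connecting the dots across days and weeks (added example, constructed data).

Contrasts a per-day deny-count rule with a sliding-window behavioral rule that
correlates one source's activity over a long span. Addresses and timestamps
below are constructed, not taken from any real environment."""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2015, 10, 1)
EVENTS = []   # (timestamp, source, destination, destination port, firewall action)

# Patient source: two denied probes to fresh ports every third day for 40 days.
for day in range(0, 40, 3):
    for i in range(2):
        EVENTS.append((BASE + timedelta(days=day, hours=3), "203.0.113.5",
                       "10.0.1.20", 1000 + 2 * day + i, "DENY"))
# Loud source: 200 ports in 200 seconds on a single day.
for i in range(200):
    EVENTS.append((BASE + timedelta(days=20, seconds=i), "198.51.100.9",
                   "10.0.1.20", 1 + i, "DENY"))
# Benign source: one allowed HTTPS connection per day.
for day in range(40):
    EVENTS.append((BASE + timedelta(days=day, hours=9), "192.0.2.44",
                   "10.0.1.30", 443, "ALLOW"))


def daily_burst(events, threshold=50):
    """Conventional rule: sources with at least `threshold` denies in one calendar day."""
    counts = defaultdict(int)
    for ts, src, _dst, _port, action in events:
        if action == "DENY":
            counts[(src, ts.date())] += 1
    return {src for (src, _day), n in counts.items() if n >= threshold}


def slow_recon(events, window_days=30, min_days=5, min_ports=10):
    """Behavioral rule: a source denied on >= min_days distinct days and touching
    >= min_ports distinct ports within any window_days span. Returns
    {source: (active days, distinct ports)} for the first window that qualifies."""
    by_src = defaultdict(list)
    for ts, src, _dst, port, action in events:
        if action == "DENY":
            by_src[src].append((ts, port))
    window = timedelta(days=window_days)
    flagged = {}
    for src, items in by_src.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until it spans at most window_days.
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            days = {ts.date() for ts, _ in span}
            ports = {p for _, p in span}
            if len(days) >= min_days and len(ports) >= min_ports:
                flagged[src] = (len(days), len(ports))
                break
    return flagged


def detect(events):
    """Label each suspicious source by which rule caught it."""
    labels = {src: "burst-scan" for src in daily_burst(events)}
    for src in slow_recon(events):
        labels[src] = "slow-recon" if src not in labels else "both"
    return labels


if __name__ == "__main__":
    for src, label in sorted(detect(EVENTS).items()):
        print(f"{src:>14}  {label}")
```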

In addition, the deployment of organizational resources necessary to successfully operate in such an environment further stresses IT departments that are already challenged with squeezing the most out of their minimalist security budgets. These disparate product, process and budget issues are contributing to a growing movement within the security industry – one that supports the convergence of security requirements as part of an extensible systemic architecture. It is this type of approach that analysts believe will enable disparate applications to be seamlessly integrated into a single system, with unified administration, operations and reporting.

Behavioral-Based Unified Security: A Holistic Approach to Detecting APTs

The concept of a systemic, architectural approach to network security is increasingly gaining traction among leading security companies. There is also a growing realization that perimeter focused signature-only detection cannot adequately address the current state of network security attacks. A behavioral approach to deep packet analysis is now a requirement in order to address zero-day attacks and compensate for the limited number of signatures that IDS/IPS appliances can actually load.

THE CHALLENGE: IN SEARCH OF A FRESH APPROACH

One of the most important developments in the evolution of cyber security is the growing acceptance that cyber-attacks will continue to evolve and successfully evade traditional detection methods. The notion of developing defenses derived from the study of successful network security breaches and malware, in order to identify specific behaviors and attributes (also known as “digital signatures”) so we can interrogate real-time network traffic, is so hopelessly flawed, it’s almost funny. Not only is it unrealistic to compare traffic against all known signatures (60,000+), the ability of attackers to simply modify their behavior to alter the digital signature renders the method impotent. Even the application of sandboxing and anomaly detection techniques is narrowly applied to identify anomalies in rigidly defined behaviors such as communications protocols, while totally ignoring the infinite complexities of human behavior. Understanding these facts, cyber attackers intentionally space out related reconnaissance activities, modify their techniques, and utilize multiple attack platforms to routinely evade detection. Further, both signature and anomaly detection methods are completely unable to deal with complex behaviors unwittingly introduced via social engineering techniques, mobile computing, and an ever-increasing array of portable communication devices.

Therefore, a new detection method capable of analyzing complex systems is required to overcome the limitations of traditional signature, sandboxing, and anomaly detection methods. A better method would be to develop a system with the ability to detect emerging behavior(s) within an unknown population sample where normal and abnormal behaviors are not known, yet they are discernable.

THE BASIS OF EMERGENT BEHAVIOR DETECTION: EXPECT THE UNEXPECTED

The basis for emergent behavior detection is rooted in the simple understanding that if you go in looking for specific signatures and behaviors you’re likely to only find what you’re looking for. Conversely, you’re likely to totally overlook new signatures and/or behaviors you have not anticipated. Basically, when you’re trying to anticipate an adversary’s next move, it is wise to expect the unexpected.

THE ADVANCED PERSISTENT THREAT (APT): AN ESCALATION OF THE CYBERSECURITY ATTACK

An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing and the financial industry. Companies such as Sony, Apple, Target, Home Depot, USPS, and Chase Financial have all become victims of APTs.

In a simple attack, the intruder tries to get in and out as quickly as possible in order to avoid detection by the network’s intrusion detection system. In an APT attack, however, the goal is not to get in and out but to achieve ongoing access. To maintain access without discovery, the intruder must continuously rewrite code and employ sophisticated evasion techniques such as polymorphism. Some APTs are so complex that they require a full time administrator.

An APT attacker often uses spear-phishing, a type of social engineering, to gain access to the network through legitimate means. Once access has been achieved, the attacker establishes a back door, gathers valid user credentials (especially administrative ones), and moves laterally across the network installing more back doors. The back doors allow the attacker to install bogus utilities and create a “ghost infrastructure” for distributing malware that remains hidden in plain sight.


TRADITIONAL SECURITY APPLICATIONS ARE INSUFFICIENT

Although APT attacks are difficult to identify, the theft of data can never be completely invisible. While some might

then be drawn to conclude that anomaly detection would be sufficient to detect APTs, the post mortem forensic

analysis of APTs clearly indicates a working knowledge of traditional anomaly detection methods and techniques,

and the ability to evade detection.

Traditional anomaly detection is based upon linear systems theory. Whereas the superposition principle holds for linear systems, APTs are complex systems that mix specialized utilities and human behavior. Since systems engineers like to divide and conquer in order to work on complexity at a more manageable level through decomposition, evasion is possible by avoiding common behaviors. Additionally, systems engineers like to study the behavior of the elements in order to understand the behavior of the system through reconstruction. However, none of this is valid when dealing with non-linear (or complex) systems, and the developers of APTs know this.

EMERGENT BEHAVIOR ANALYSIS THEORY

By definition, APTs are best characterized as emergent behavior. By the philosophy as well as the science of

systems theory, emergence is the way complex systems and patterns arise out of a multiplicity of relatively simple

interactions. Therefore, emergent behavior is that which cannot be predicted through analysis at any level simpler

than that of the system as a whole … rendering traditional anomaly detection methods impotent. Better stated,

emergent behavior, by definition, is what’s left after everything else in a complex system has been explained.

Recognizing that a complex network is a form of a self-organizing system, Masergy’s network behavioral analysis

technology uses advanced analysis techniques including isomorphic connectivity patterns in state spaces,

evolutionary combinatorial optimization theory and particle swarm optimization theory, to find the high-level network

activities that emerge from complex systems operating within defined rule sets. This provides a higher-level set of

meta-data that can be used to find unusual or altered operation of lower-level systems that make up the whole,

allowing detection of very low level activities that are the indicators of an APT.

Masergy Unified Enterprise Security™

To address these challenges, Masergy has developed a security solution that actually combines the exceptional

integration capabilities of a security architecture with the adaptive and predictive data sharing, tracking and analysis

capabilities of a network behavior analysis and correlation engine. This uniquely integrated approach is at the heart

of Masergy’s Unified Enterprise Security™ (UES) solution, and enables all security applications to take advantage

of patented, leading-edge behavioral technology. Other advantages of the UES architecture – a single console and

unified reporting, administration, and operational ease-of-use – make this technology particularly attractive to over-

burdened and under-resourced IT departments.

The Unified Enterprise Security architecture provides an extensible platform to incorporate ever expanding security applications. In fact, Masergy has leveraged the UES architecture to incorporate several new security applications, including behavioral network access policy monitoring, log management and monitoring and emerging Cloud security applications.

Further, Masergy’s Unified Enterprise Security architecture is very cost-effective since it overlays and complements

a company’s existing network security infrastructure. This modular approach allows customers to mix-n-match

applications, adding additional modules over time, as needed, which helps to maximize their current security

investment.

Masergy Unified Enterprise Security Architecture

True Subsystem Integration

Masergy’s Unified Enterprise Security product portfolio enables true subsystem integration and intelligent, adaptive

information sharing/correlation of detected threats and alerts with detected vulnerabilities between all application

subsystems and appliances. It is this level of architecture-based integration that provides long-term context to

threats and enables early warnings of threats and attack reconnaissance that other solutions cannot see.

Industry-proven application modules – network behavior analysis and correlation; intrusion detection and prevention; vulnerability scanning and management; log management, analysis and monitoring; network access and policy monitoring; and comprehensive threat management for prioritized network, global and vendor threats and vulnerabilities – can be deployed as part of a complete security infrastructure or they can be added incrementally, over time, as an organization’s business and network requirements change. Further, Masergy’s holistic approach to compliance ensures that customers can efficiently achieve and maintain ongoing regulatory compliance within their unique vertical markets, whether it’s for PCI, SOX, HIPAA, NERC CIP, NCUA or FISMA standards.

At the heart of UES is a proprietary behavioral correlation engine that is actually the foundation upon which all other applications are built. This basic tenet of UES enables each security application to leverage the rich data derived from the correlation of weeks of raw packet data, detected vulnerabilities, signature detection applications, posted vendor alerts, globally detected threats, logs from 3rd party security devices, as well as network access policy violations.

A true behavioral analysis and correlation requires:

• Packet data, IDS/IPS alerts, scans, vendor threats, and tracked resources are data feeds to be analyzed and correlated continuously, and tracked over long periods of time.

• Use of raw packet data vs. log files for behavioral analysis. Packets have more data for analysis.

• Data is used for analysis spanning days, weeks and months, which is necessary to correlate seemingly discrete events intentionally spaced-out to avoid detection. The longer the timeframe, the better the analysis can be.

• Analysis is relative to an individual network and adapts to that network. A behavioral system becomes customized to that network without human intervention.

• A behavioral system has learned intelligence, can measure increasing hostility from progressive reconnaissance activity, and predict behaviors that enable it to track developing threats leading up to a breach.

Unified Enterprise Security Software Architecture


Architecturally Layered Security Applications

It’s important to not mistake Unified Enterprise Security for a SIM or SEM (SIEM) implementation. A SIEM is a noble

attempt to integrate a collection of security appliances that were never intended to work together. Consequently,

they don’t. The SIEM approach has proven to be a complex, limited, and expensive approach to very loose

integration that has relegated most SIEMs to nothing more than log management platforms.

The Unified Enterprise Security offering is not the aggregation of log information from disparate security appliance

logs/alerts. Instead, it provides twelve (12) unparalleled layers of fully integrated security:

1. 100% PASSIVE SECURITY IMPLEMENTATION – introduces absolutely no additional network latency, and no single point of failure. In practice, network traffic is mirrored to detection devices, allowing easy installation without disruption to network activity.

2. EXTERNAL INTRUSION DETECTION & PREVENTION – detects increasing external hostility from reconnaissance activities, external threats, and other malicious traffic.

3. INTERNAL INTRUSION DETECTION & PREVENTION – designed to automatically align signatures with detected CVEs from the latest vulnerability scan report. Monitors potentially suspicious employee activity, evidence of malware infections, and security policy violations.

4. NETWORK BEHAVIOR ANALYSIS AND CORRELATION – analyzes and correlates all suspicious network traffic received from both internal and external IDS sensors, spanning days, weeks and months. Detects sophisticated intrusion evasion techniques, anomalous patterns, and even new stealth attack methods for which there are no published signatures.

5. BEHAVIORAL-BASED NETWORK ACCESS POLICY CONTROL & MONITORING – behaviorally detects and blocks both internal and external access policy violations in real-time. This capability utilizes shared information between intrusion detection and network behavior analysis subsystems to secure critical assets without deploying any additional hardware or host agent software.

6. UNIFICATION OF EXISTING SECURITY INFRASTRUCTURE – provides real-time monitoring of 3rd party security events and automatic / manual blocking of malicious traffic via native integration with all commercially available firewalls, switches and routers.

7. NETWORK RESOURCE VIOLATION MONITORING – resource violation alerts occur automatically when unrecognized IP addresses (internal or foreign) are detected, and/or when a well-known IP address attempts to access a device for which they have no history of accessing.

8. INTEGRATED VULNERABILITY SCANNING & REPORTING – provides automated vulnerability scanning for detected vulnerabilities in the network infrastructure, critical assets, application servers, client PCs, etc. Detected vulnerabilities are then shared with other subsystems for real-time correlation.

9. REAL-TIME CORRELATION OF SUSPICIOUS NETWORK TRAFFIC WITH DETECTED VULNERABILITIES – activity reported by the integrated vulnerability scanner subsystem is automatically shared with intrusion detection, threat management, network behavioral analysis and network access control subsystems for real-time correlation between disciplines. This capability adds context to potential threats that would otherwise go unnoticed.


10. COMPREHENSIVE REAL-TIME LOG ANALYSIS, ARCHIVAL, AND MONITORING – processes log events from firewalls, switches, routers, 3rd party security devices, and application servers using sophisticated policy-based rules to detect anomalous events, security policy violations, changes to account privileges, and the like.

11. LOG MANAGEMENT AND ARCHIVAL – functionality, including comprehensive log searching, reporting, and 2.0TB of network access storage (NAS), is available to help meet regulatory compliance.

12. COMPREHENSIVE THREAT MANAGEMENT – automatically detects, correlates, and prioritizes detected network threats, global threats, and posted vendor threats with detected vulnerabilities. The resulting prioritized threat remediation list is designed to focus IT remediation teams on the most pressing threats to network security, providing detailed remediation steps, links to patches, vulnerability reports, CVEs, etc. The system is also designed to provide a complete graphical rendering of your entire network security posture, which is automatically updated once the system has empirically verified that the requisite remediation has been completed.
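The resource-violation logic described in layer 7, as an added example that is not Masergy's code: a per-network baseline of which sources access which assets is learned from flow records, after which an unrecognized source, or a known source reaching an asset it has no history with, raises an alert. All addresses, ports and flows are constructed, and the internal address range is an assumption.

```python
"""Added example (not Masergy's code): resource-violation monitoring in the
spirit of UES layer 7. A baseline of which source hosts talk to which
(destination, port) pairs is learned from a window of flow records; after
that, a never-seen source, or a known source reaching an asset it has no
history with, raises an alert. Addresses and ranges are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed internal address space, used only to label the origin of a new source.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class Flow:
    ts: int      # epoch seconds (constructed)
    src: str     # source IP
    dst: str     # destination IP (the accessed resource)
    dport: int   # destination port


def is_internal(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


class ResourceMonitor:
    """Per-network baseline that adapts without operator-written rules."""

    def __init__(self):
        self.history = defaultdict(set)   # src -> {(dst, dport), ...}
        self.alerted = set()              # (src, dst, dport) already raised

    def learn(self, flows):
        """Seed the baseline from a learning window of observed flows."""
        for f in flows:
            self.history[f.src].add((f.dst, f.dport))

    def evaluate(self, f: Flow):
        """Return an alert dict for a violation, or None for baseline traffic.
        Violating flows are not added to the baseline, so an intruder cannot
        silently teach the monitor; an analyst admits them with accept()."""
        key = (f.src, f.dst, f.dport)
        seen = self.history.get(f.src)
        if seen is None:
            kind = "unrecognized_source"
        elif (f.dst, f.dport) not in seen:
            kind = "no_access_history"
        else:
            return None
        if key in self.alerted:      # suppress duplicate alerts per tuple
            return None
        self.alerted.add(key)
        return {"type": kind, "ts": f.ts, "src": f.src,
                "origin": "internal" if is_internal(f.src) else "foreign",
                "resource": f"{f.dst}:{f.dport}"}

    def accept(self, src, dst, dport):
        """Analyst marks a flagged access as legitimate; it joins the baseline."""
        self.history[src].add((dst, dport))
        self.alerted.discard((src, dst, dport))


# Constructed learning window: a workstation using a file share and an
# intranet server, and an admin host using SSH to a management server.
LEARNING_FLOWS = [
    Flow(1000, "10.1.1.5", "10.0.0.20", 445),
    Flow(1060, "10.1.1.5", "10.0.0.25", 80),
    Flow(1120, "10.1.1.9", "10.0.0.30", 22),
]

# Constructed monitoring period: baseline traffic, the workstation reaching the
# admin-only SSH host, an unseen internal host, and an unseen foreign host.
MONITOR_FLOWS = [
    Flow(2000, "10.1.1.5", "10.0.0.20", 445),
    Flow(2010, "10.1.1.5", "10.0.0.30", 22),
    Flow(2020, "10.1.1.5", "10.0.0.30", 22),   # repeat: suppressed
    Flow(2030, "10.1.1.77", "10.0.0.20", 445),
    Flow(2040, "203.0.113.8", "10.0.0.25", 80),
]


def run_demo():
    """Learn from LEARNING_FLOWS, then evaluate MONITOR_FLOWS; return alerts."""
    mon = ResourceMonitor()
    mon.learn(LEARNING_FLOWS)
    return [a for a in (mon.evaluate(f) for f in MONITOR_FLOWS) if a]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```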

For those organizations following the widely accepted defense-in-depth network security strategy, Masergy’s Unified

Enterprise Security portfolio economically delivers a security layer that augments and holistically provides oversight

of an organization’s security environment without the need to uproot or disrupt its existing security infrastructure.

This self-reliant approach combines real-time flexibility, long-term correlation, and historical trending, with no

maintenance and security business intelligence requirement. This revolutionary behavioral approach is quickly

becoming the industry standard for next generation network security architectures.

Masergy Solutions Overview

As previously mentioned, the Unified Enterprise Security system is built from the ground up using a modular systemic architecture. It provides a simple and affordable migration strategy because it allows for extensive customization. For example, a customer may initially choose to mix-n-match components to address gaps or holes in their security posture, then add additional applications or components incrementally, over time, in response to their evolving network environment.

UNIFIED ENTERPRISE SECURITY - MIX-N-MATCH SOLUTIONS

Available in virtual appliance (VMware® enabled), physical appliance, or hybrid configurations, this modular

approach enables Masergy to cost-effectively introduce new components / applications that address new and

emerging security threats, enabling a company to keep its security infrastructure up to date.

The core Unified Enterprise Security components include:

• A MASTER CONTROL UNIT – The MCU module is a browser-based monitoring console, signature server, cluster manager and Web server that utilizes plug-and-play installation. It contains the custom Web portal that houses all the reports and graphs for the appliance suite, including the security dashboard, intrusion detection and vulnerability scanning reports. The Security Risk Management (SRM) Managed Services™ can also be provisioned through the MCU for thorough and economical risk management on-demand.


The Master Control Unit (MCU) is available in three models: M-4000-V virtual appliance software for VMware-enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), or M-4000-G 1U appliance for typical 10/100/1000Mb networks.

• BEHAVIORAL CORRELATION MODULE – The Behavioral Correlation Module (BCM) identifies and tracks typical network traffic and packet behaviors over long periods of time and automatically sends out alerts for any anomaly. The BCM identifies reconnaissance activity, unknown attacks and zero-day attacks. It also guards against threats from within, providing alerts for resource violations, abuse of privileges and misuse of corporate assets. Its behavioral analytics employ raw packet information through layer 4, detecting early threat activity and maintaining alert logs and behavioral profile information for at least six months – enabling constant monitoring of global attacks and vulnerabilities. The Behavioral Correlation Module (BCM) is available in four models: A-5000-V virtual appliance for VMware-enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), A-5000-G 1U appliance for typical 10/100/1000Mb networks or A-5110-G 1U appliance for newer 10GbE networks.

• SECURITY DASHBOARD MODULE – The Security Dashboard Module (SDM) provides immediate single-source access to all threat data, including an easy-to-use, instant view of prioritized security threats and the underlying data that created them. The Security Dashboard Module (SDM) correlates data and prioritizes security threats from multiple security, network and server sources, including behavioral alerts from packet data analysis; signature IDS alerts; and vulnerability scans against assets and global alerts. The SDM instantly identifies the most critical network threats, determines the best path for remediation and gathers the data for forensic reporting. Because of its extensible architectural design, the SDM requires no tuning or correlation rules. This means that time is not wasted attempting to integrate complex SIM software with third-party security solutions or implementing, updating and maintaining multitudes of SIM correlation rules. The Security Dashboard Module (SDM) is available in three models: I-6000-V virtual appliance software for VMware-enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), or I-6000-G 1U appliance for typical 10/100/1000Mb networks.

• DETECTION + PREVENTION MODULE – The Detection + Prevention Module (DPM) is a 100% passive network sensor hosting an intelligent packet inspection and capture system that selects and transfers suspicious packets to the Behavioral Correlation Module (BCM) for further behavior analysis. By employing signature detection technology, deep-packet inspection of layers 1–7 and tunable signatures on a 24/7 basis, the DPM provides for automatic alert analysis and correlation, as well as alert escalation and prioritization; detection of unauthorized access to network resources; countermeasures for denial-of-service attacks; termination of attack sessions via a TCP reset or ICMP unreachable message; probe prevention (defeats or confuses scanning techniques with false responses); and enterprise threat correlation and global threat correlation.


The Detection + Prevention Module (DPM) is available in seven models:

▬ N-1001-V virtual appliance for VMware enabled environments

▬ As a software component of the N-2520-S All-n-One Security Module (ASM)

▬ N-1001-S 1U appliance for remote Small Office / Branch Office (SOBO) locations

▬ N-1010-S 1U appliance for 100Mb networks

▬ N-2100-S 1U appliance for 1000Mb networks

▬ N-2101-S 1U appliance for 4000Mb fiber networks

▬ N-2110-G 1U appliance for newer 10GbE networks.

• VULNERABILITY SCANNER MODULE – The Vulnerability Scanner Module (VSM) provides the full benefit of regular security scans that are integrated and correlated with data and alerts from the other appliances, as well as extensive research capabilities. The Vulnerability Scanner module’s extensive reporting includes individual vulnerability reports for each device, with associated risk levels (informational, low, high, and severe) and appropriate links to remediation steps. This module also includes:

▬ Summary and management reports for easier risk mitigation;

▬ On Demand Scanning options: Light – limited port scans that identify common vulnerabilities such as those within DNS, Web, or FTP and SMTP; Heavy – full port scans that look for all known vulnerabilities and potential risk areas; and DOS – scans that identify all dangerous vulnerabilities on the appropriate ports;

▬ A Scan Scheduler – with customizable scanning options for immediate, daily, weekly, monthly, quarterly and annual scans; and

▬ A Private Customer Web Portal – that allows customers to view alerts, scans, and run reports in real-time.

The Vulnerability Scanner Module (VSM) is available in three models: V-3001-V virtual appliance software for VMware-enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), or V-3001-S 1U appliance for typical 10/100/1000Mb networks.

• FIREWALL/SYSLOG MODULE – The FSM module provides real-time rules-based syslog analysis for commercially available firewalls and syslog-compatible systems, applications and devices. The FSM is integrated with the UES monitoring console and reports. It can match multiple rules based on Boolean logic, time and frequency to develop sophisticated policy oversight and alert on violations. The N-2800-G FSM is configured with 2.0TB of network access storage (NAS) to collect and maintain up to one (1) year of logs per logging source; provides automated back-up to long-term network storage devices; offers log management searching and reporting; and supports up to 1000 syslog devices per FSM. For larger organizations, the N-2810-G FSM is configured with 8.0TB of RAID 10 storage, supporting up to 5000 devices per FSM. The FSM can also be tightly integrated with all commercially available firewalls, switches and routers to enable automatic and manual blocking of malicious traffic.


The Firewall/Syslog Module (FSM) is available in three models: N-2800-V virtual appliance software for VMware-enabled environments, as a software component of the N-2520-S All-n-One Security Module (ASM), or N-2800-S 1U appliance for typical 10/100/1000Mb networks, and/or N-2810-S 1U appliance for larger 10GbE networks.

• NETWORK SECURITY ZONES (Z-1000-G) – The Network Security Zones™ (NSZ) feature defines secure boundaries for managing and monitoring access to information and applications across multiple systems and disciplines – simultaneously delivering unimpeded online services to employees, customers and suppliers. Simply put, the NSZ system defines what an individual can access within the network, at what time and from which location. Any violation of established boundaries will generate an unauthorized access alert. The NSZ system also supports DHCP environments where it’s necessary to track individual users or hosts independent of their IP addresses; protects against various network intrusions and illicit access, whether from inside or out; provides a clear path to enhanced compliance and auditing requirements; handles security and access for remote and mobile workers; and works with drag-and-drop simplicity.

• ON-DEMAND MANAGED SECURITY SERVICES – Masergy’s Security Risk Management (SRM) Managed Services™ provides the flexibility to choose between centrally managed or co-managed services, or a combination of the two based on outsourcing requirements at any point in time. It provides immediate turnkey access to the UES solution with no contract required. SRM Managed Services allows an enterprise to cost-effectively allocate internal resources, while outsourcing network security requirements based on demand. Outsourcing by contract is also available, providing an economical and flexible way to augment a company’s IT security staff with 24x7 managed security services – whether it’s for off-hours, holidays or customized timeframes based on peak management requirements. With or without a contract, SRM Managed Services provides visibility, control and oversight of the entire enterprise security environment; enables actionable remediation information to prevent network security problems as well as dealing with immediate security issues; and offers significant cost savings through reduced capital expenditures, training and staffing.

Masergy Unified Enterprise Security Configurations

As depicted below, each Unified Enterprise Security (UES) system is typically deployed on one All-n-One Security Module (ASM) hosting any number of selected virtual machine modules to meet your desired level of security. Each UES system must contain one (1) Master Control Unit (MCU) providing private web portal access to unified administration, monitoring, ticketing and reporting for all deployed UES subsystems. Secure facilities typically have a limited number of internet connections and should install at least one (1) Detection + Prevention Module (DPM) at each internet connection to perform signature detection (IDS), prevention (IPS), and behavioral packet analysis capture. Additional DPMs can be installed to provide coverage for additional internet connections, whether co-located or at geographically remote locations. It is important to note that DPMs are installed as 100% passive devices receiving mirrored traffic from monitored network segments, and there is no requirement to integrate any 3rd party devices.


Customer Premise, Cloud, and Hybrid Configurations

The first DPM is installed outside each firewall to monitor network activity at the perimeter. This external DPM is

deployed to detect reconnaissance activity leading up to an attack, initially performing signature detection and then

collecting suspicious network packets for further analysis by the Behavioral Correlation Module (BCM).

It is recommended that a second DPM be installed inside each firewall to monitor suspicious internal network traffic and outbound traffic to the internet, and to correlate it with inbound network traffic that makes it through the firewall. Like the external DPMs, the internal DPMs perform signature detection and then collect suspicious network packets for further analysis by the Behavioral Correlation Module (BCM). Additionally, the DPM will correlate suspicious network traffic with detected vulnerabilities reported by the Vulnerability Scanner Module (VSM) to identify malicious traffic targeting vulnerable devices and applications (for example, detecting SSH-1 network traffic targeting a device vulnerable to an SSH-1 type attack).
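The alert-to-vulnerability correlation that layer 9 and the SSH-1 scenario above describe, as an added example that is not Masergy's code: IDS alerts are joined against the latest scan report so that only alerts hitting a host that really carries the exploited weakness become threats, and those threats are rolled up into a prioritized remediation list in the style of layer 12. Hosts, signatures, ports and findings are constructed, and the vulnerability classes are labels of this example, not real CVE identifiers.

```python
"""Added example (not Masergy's code): correlating IDS alerts with the latest
vulnerability scan, as UES layer 9 and the SSH-1 scenario describe, and
rolling the matches up into a prioritized remediation list in the style of
layer 12. Hosts, signatures, ports and findings are all constructed, and the
vulnerability classes are labels of this example, not real CVE identifiers."""
from dataclasses import dataclass, field

# VSM risk levels from the page, ranked so threats can be sorted by severity.
RISK_RANK = {"informational": 0, "low": 1, "high": 2, "severe": 3}


@dataclass(frozen=True)
class Finding:
    vuln_class: str   # what the scanner found, e.g. "ssh1-protocol" (constructed label)
    port: int         # port the vulnerable service listens on
    risk: str         # VSM risk level


@dataclass(frozen=True)
class Alert:
    ts: int
    signature: str    # IDS signature name (constructed)
    src: str
    dst: str          # targeted host
    dport: int
    exploits: str     # vulnerability class the signature is known to exploit


@dataclass
class Threat:
    host: str
    finding: Finding
    alerts: list = field(default_factory=list)

    def score(self):
        """Severity of the finding first, then how actively the host is hit."""
        return (RISK_RANK[self.finding.risk], len(self.alerts))


def correlate(alerts, scan):
    """Split alerts into threats (the target really carries the vulnerability
    the signature exploits, on the port that was hit) and context-only alerts
    (target not vulnerable, or never scanned)."""
    threats = {}
    context = []
    for a in alerts:
        hit = next((f for f in scan.get(a.dst, ())
                    if f.vuln_class == a.exploits and f.port == a.dport), None)
        if hit is None:
            context.append(a)
            continue
        key = (a.dst, hit.vuln_class)
        threats.setdefault(key, Threat(a.dst, hit)).alerts.append(a)
    return threats, context


def remediation_list(threats):
    """Prioritized remediation list: most severe, most targeted first."""
    return sorted(threats.values(), key=Threat.score, reverse=True)


# Constructed scan report: host -> findings from the latest VSM run.
SCAN = {
    "10.0.0.30": [Finding("ssh1-protocol", 22, "severe")],
    "10.0.0.25": [Finding("outdated-httpd", 80, "high")],
    "10.0.0.20": [],                       # scanned, nothing found
    "10.0.0.40": [Finding("smb-signing-disabled", 445, "low")],
}

# Constructed IDS alerts as an internal DPM would report them.
ALERTS = [
    Alert(100, "SSH-1 protocol negotiation", "203.0.113.8", "10.0.0.30", 22, "ssh1-protocol"),
    Alert(110, "SSH-1 protocol negotiation", "203.0.113.8", "10.0.0.20", 22, "ssh1-protocol"),
    Alert(120, "HTTP path traversal", "198.51.100.4", "10.0.0.25", 80, "outdated-httpd"),
    Alert(130, "HTTP path traversal", "198.51.100.4", "10.0.0.25", 80, "outdated-httpd"),
    Alert(140, "SQL injection attempt", "198.51.100.4", "10.0.0.25", 80, "sqli"),
]


def run_demo():
    """Correlate ALERTS against SCAN; return (prioritized threats, context alerts)."""
    threats, context = correlate(ALERTS, SCAN)
    return remediation_list(threats), context


if __name__ == "__main__":
    ranked, context = run_demo()
    for t in ranked:
        print(f"{t.finding.risk:>8}  {t.host}  {t.finding.vuln_class}  alerts={len(t.alerts)}")
    print(f"{len(context)} alert(s) against non-vulnerable or unscanned targets")
```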

Operating within each deployed DPM is an optional network access policy monitoring feature, used to define

secure policies for managing and monitoring access to information and applications across multiple systems and

disciplines. The Network Security Zones (NSZ) feature defines secure access policies for what employees and

groups can access within the network, at what times, and from which location. Any violation of established policies

will generate an unauthorized access alert. The NSZ system also supports DHCP environments where it’s necessary

to track individual users or hosts independent of their IP addresses; protects against various network intrusions and

illicit access, whether from inside or out; provides a clear path to enhanced compliance and auditing requirements;

handles security and access for remote and mobile workers; and works with drag-and-drop simplicity.

As DPMs perform signature IDS and IPS, suspicious network packets are collected and transmitted to the Behavioral Correlation Module (BCM) for further analysis and behavioral correlation along with the previously collected data for the past 14-30 days. First, behavioral correlation is performed on the data collected within each DPM. Second, behavioral correlation is performed on the data collected across all deployed DPMs at each secure facility. Finally, behavioral correlations are performed on the sanitized external data collected across all Masergy customers’ secure facilities, and this information is fed back into each UES system to provide awareness of global threats to which your network is vulnerable but that have not yet occurred on your network.

Each secure facility should also have at least one Vulnerability Scanner Module (VSM) deployed to identify and report vulnerabilities to the Behavioral Correlation Module (BCM), to the integrated threat management system known as the Security Dashboard Module (SDM), and to the Master Control Unit (MCU) for reporting purposes. This is important to proactively identify vulnerabilities in critical infrastructure at each facility in an effort to remediate ahead of any potential exploit, as well as to provide visual context and correlation of suspicious network activity against vulnerable assets.

A key UES component for integrating and unifying existing IT infrastructures, 3rd party security appliances, and

application services is the Firewall Syslog Module™ (FSM). The primary role of the FSM is to process and archive

log events from any log producing device or application based on customized policy-based rules, as well as generate

alerts to the monitoring console for ticketing and incident response. All log events are archived and stored for one

year and are available for searching and analysis via the 2.0TB – 8.0TB of onboard storage. Additionally, the FSM

is able to natively integrate with commercially available firewalls, switches, and routers to automatically and/or

manually block and quarantine malicious traffic.
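The policy-based log rules that the FSM description (here and in the Firewall/Syslog Module overview) attributes to the module, as an added example that is not Masergy's code: a small engine that applies one frequency rule, one time-of-day rule and one Boolean rule combining them to parsed syslog events. The log lines, host names, addresses, thresholds and the assumed line format ('ISO-timestamp host program: message') are all constructed.

```python
"""Added example (not Masergy's code): a small policy-rule engine over syslog
events of the kind the FSM description covers, with one frequency rule, one
time-of-day rule and one Boolean rule that combines them. The log lines, host
names, addresses and thresholds are constructed; the line format assumed is
'ISO-timestamp host program: message'."""
import re
from collections import defaultdict, deque
from datetime import datetime, time

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+?): (.*)$")
FAIL_RE = re.compile(r"Failed password for (\S+) from (\S+)")
ACCEPT_RE = re.compile(r"Accepted password for (\S+) from (\S+)")
GROUP_RE = re.compile(r"add '(\S+)' to group '(\S+)'")

PRIVILEGED_GROUPS = {"wheel", "sudo", "Administrators"}  # assumed policy


def parse(line):
    """Split one constructed syslog line into its fields."""
    ts, host, prog, msg = LINE_RE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts), "host": host, "prog": prog, "msg": msg}


class RuleEngine:
    def __init__(self, burst_n=5, burst_window=60, success_window=300,
                 business_hours=(time(8), time(18))):
        self.burst_n = burst_n                  # frequency rule threshold
        self.burst_window = burst_window        # seconds
        self.success_window = success_window    # seconds after a burst
        self.business_hours = business_hours
        self.failures = defaultdict(deque)      # src -> recent failure times
        self.bursts = {}                        # src -> time the burst fired

    def process(self, ev):
        """Apply every rule to one parsed event; return (rule, subject) alerts."""
        alerts = []
        ts, msg = ev["ts"], ev["msg"]

        # Frequency rule: >= burst_n failed logins from one source in burst_window.
        m = FAIL_RE.search(msg)
        if m:
            src = m.group(2)
            recent = self.failures[src]
            recent.append(ts)
            while (ts - recent[0]).total_seconds() > self.burst_window:
                recent.popleft()
            if len(recent) >= self.burst_n and src not in self.bursts:
                self.bursts[src] = ts
                alerts.append(("auth_burst", src))

        # Boolean rule: a burst AND a successful login from the same source
        # within success_window of the burst.
        m = ACCEPT_RE.search(msg)
        if m:
            src = m.group(2)
            fired = self.bursts.get(src)
            if fired is not None and (ts - fired).total_seconds() <= self.success_window:
                alerts.append(("brute_force_success", src))

        # Time rule: privileged-group membership change outside business hours.
        m = GROUP_RE.search(msg)
        if m and m.group(2) in PRIVILEGED_GROUPS:
            start, end = self.business_hours
            if not (start <= ts.time() < end):
                alerts.append(("privilege_change_off_hours", m.group(1)))
        return alerts


# Constructed log excerpt: a short password-guessing burst that succeeds,
# followed by an off-hours addition to a privileged group; the daytime group
# change at the end matches no rule.
LOG_LINES = [
    "2015-11-06T02:13:01 bastion sshd[4471]: Failed password for root from 10.1.1.77 port 50112 ssh2",
    "2015-11-06T02:13:04 bastion sshd[4471]: Failed password for root from 10.1.1.77 port 50113 ssh2",
    "2015-11-06T02:13:08 bastion sshd[4471]: Failed password for root from 10.1.1.77 port 50114 ssh2",
    "2015-11-06T02:13:11 bastion sshd[4471]: Failed password for root from 10.1.1.77 port 50115 ssh2",
    "2015-11-06T02:13:15 bastion sshd[4471]: Failed password for root from 10.1.1.77 port 50116 ssh2",
    "2015-11-06T02:13:20 bastion sshd[4471]: Failed password for admin from 10.1.1.5 port 50200 ssh2",
    "2015-11-06T02:13:40 bastion sshd[4480]: Accepted password for root from 10.1.1.77 port 50117 ssh2",
    "2015-11-06T02:15:00 bastion usermod[4490]: add 'svc_backup' to group 'wheel'",
    "2015-11-06T10:00:00 bastion usermod[5120]: add 'jdoe' to group 'wheel'",
]


def run_demo():
    """Feed LOG_LINES through the engine; return the alerts in order."""
    engine = RuleEngine()
    alerts = []
    for line in LOG_LINES:
        alerts.extend(engine.process(parse(line)))
    return alerts


if __name__ == "__main__":
    for rule, subject in run_demo():
        print(f"{rule}: {subject}")
```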

The last and most effective component to deploy at each secure facility is the Security Dashboard Module™ (SDM),

which acts as a fully integrated threat management system, designed to collect, correlate, and prioritize global

network alerts, local network alerts, posted vendor alerts, and detected network vulnerabilities with enterprise

assets. In this manner, threats are assessed, ranked and prioritized to intelligently focus IT resources on remediation

activities. Each prioritized threat provides access to forensic information, a comprehensive list of vulnerable assets,

associated vulnerability reports, and remediation instructions. It is important to note that the Security Dashboard

requires no integration with any third-party products, as it correlates the raw packet level information collected/analyzed by DPMs, FSMs and BCMs, with the detected assets, vulnerability reports, and posted vendor alerts.

Further, the SDM is fully automated, requires no complex correlation rules to setup, and requires no configuration

and tuning to enable.

Conclusion

For a growing number of organizations concerned by the prevalence of high profile network security breaches,

the answer to the high cost, complexity and uncertainty surrounding network security is within reach: a unified,

behavioral-based security architecture that is extensible, modular, centrally manageable, and scalable. These

capabilities – and more – are inherent in the Masergy Unified Enterprise Security solution.

Masergy is a pioneer in Network Behavior Analysis. We’ve been doing it longer and better than anyone in the industry. We currently serve a prestigious list of Fortune 2000 customers. In our 14 years of operation, we have maintained a very high managed service renewal rate – well above the industry average. This is the best testament to the efficacy of our technology, and the superior level of Masergy’s managed security services.

About Masergy

Masergy is the largest independent provider of hybrid network, managed security and cloud communications

solutions for global enterprises. Our patented technology, customizable solutions and unmatched customer

experience are why a growing number of leading organizations rely on Masergy to deliver performance beyond

expectations.